Microprocessor resistant to power analysis

ABSTRACT

A secure microprocessor is designed using quad-coded logic which is similar to dual-rail encoded asynchronous logic except that the ‘11’ state propagates an alarm. The alarm signal obliterates secure data in its path. Quad-coded logic provides resilience to power glitches and single-transistor or single-wire failures. The already low data dependency of the power consumption makes power analysis attacks difficult, and they are made even more difficult by inserting random delays in data and control paths, and by a set-random-carry instruction which enables software to make a non-deterministic choice between equivalent instruction sequences. These features are particularly easy to implement well in quad-coded logic.

This application is a 371 of PCT/GB01/00311 Jan. 26, 2001.

TECHNICAL FIELD

This invention is related to the protection of confidential electronic data against eavesdroppers who try to reconstruct it from the electromagnetic emissions on power wires.

BACKGROUND OF THE INVENTION

Smartcards, and other electronic devices used for security purposes, are vulnerable to analysis of power consumption in order to extract secret data [4, 5, 12, 14]. This technique, known as power analysis, can reveal a lot of information about the work being done by the electronics, including the Hamming weights of signal transitions on the buses and the instructions being executed. If circuits consume power in relation to the data values being processed then the power signature contains secret data in an encoded form. Given the algorithm being computed by a microprocessor or other secure device, the eavesdropper can construct a set of input stimuli to obtain a corresponding set of power traces which can be used to extract the secret information [8].

A related threat to smartcard systems is direct physical attack. The card's packaging is removed and the signals on the bus, or elsewhere in the processor, are read out using microprobes [9]. This step is typically used against some samples of the card to extract the card's software; once this has been done, an attack using power analysis can be devised which will work against other cards of the same type without the need to depackage them. A particularly grave threat is that such an attack might be implemented in a seemingly innocuous terminal, in which members of the public might insert smartcards issued by a bank or government in order to obtain some low cost service. For example, a criminal gang might set up a market stall and sell goods, but with the real intention of obtaining cardholders' private or secret keys and thus forging smartcards which would later be used to loot their accounts or impersonate them for welfare and other claims.

Another threat to smartcard systems is fault induction. Faults can be induced in a number of ways, such as by introducing transients (‘glitches’) on the power and clock lines [14, 1]. These may cause the processor to malfunction in a predictable and useful way. Another attack technique, used in the context of an invasive microprobing attack, is to use a laser to shoot away alarm circuitry, or protective circuitry such as access control matrices which only allow certain areas of memory to be accessed following the presentation of certain passwords [9]. In order to ensure that the failure of a single circuit element (such as a wire or transistor) cannot cause secret data to be leaked, some manufacturers of defence electronic equipment use two-wire logic, that is, logic in which each state is carried on two wires with ‘01’ meaning ‘0’ and ‘10’ meaning ‘1’. To date, such circuits appear to have used clocked rather than self-timed logic. As well as measuring the current drawn by the secure device, an attacker can also measure the time taken for a cryptographic or other computation to execute [6]. We will consider this to be a special case of power analysis.

Existing defensive technology includes randomised internal clock generators to deny precise timing information to an attacker [14], incorporating a number of oscillators and/or noise generators to provide masking signals, physical chip coatings to make probing more difficult, sensor grids in the top metal layer of the chip which may be broken during probing attacks and activate alarms [9], and mechanisms whereby a random input may be used to make a processor execute equivalent sequences of instruction cycles, or insert nulls (no-ops) into the instruction execution sequence [10].

A secure device must therefore be protected in a number of ways. Noninvasive attacks based on power analysis must be made difficult, and to hinder attacks based on some combination of probing out the contents of a chip, inducing faults (whether by applied glitches or by invasive destructive methods such as laser shots), and power analysis, the circuit must also be highly resistant to electromagnetic transients while being able to propagate alarms quickly in the event of an attack being detected. This combination of robustness and fragility has been very hard to achieve with existing silicon technology.

SUMMARY OF THE INVENTION

According to the current invention there is provided a microprocessor with reduced data dependent power signature, resilience against single-element faults, and an efficient alarm mechanism to propagate alarms through the chip quickly and thus make algorithm extraction via probing more difficult. It also uses asynchronous circuitry which decouples the internal execution from the device external interface. The techniques in our invention apply without loss of generality to security processors which are not microprocessors, such as dedicated encryption chips and modules which contain more than one chip (e.g., separate processor, cryptographic chip and RAM in a single package).

Our invention is adapted from dual-rail encoded asynchronous logic because in this technology, the power consumed can be made substantially independent of the data being processed, and by the choice of suitable design rules, which should be clear to those skilled in the art, the design can be made resistant to single-transistor and single-wire faults. Furthermore, such circuits are already known to be highly resilient to variations in the applied power supply voltage. In our invention, alarms resulting from environmental sensors or from the activation of other protective mechanisms can be propagated rapidly through the chip using many independent paths.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 presents an abstraction of a quad-coded data-path.

FIG. 2 is a dual-rail AND gate which employs C-elements [11] to ensure that the outputs (Z0 and Z1) only change state after the inputs (A0, A1, B0 and B1) have stabilised.

FIG. 3 illustrates a circuit for introducing random delays to a data or control signal using a random delay source producing a random bit sequence. The output filter is based upon an asynchronous arbiter designed by Seitz [13].

FIG. 4 illustrates how the random delay element of FIG. 3 may be inserted into the circuit of FIG. 1. The data-flow control signal (11) is fed into the random delay circuit (of FIG. 3) and the output is fed into the alarm circuit (of FIG. 1) at point (12) where the data-flow control signal was originally inserted.

DETAILED DESCRIPTION

We define ‘quad-coded data’ as follows. We use two wires to represent every logical bit. This is similar to dual-rail (sometimes called double-rail) encoded data [15] used in speed independent circuit design, except that we use the fourth state to propagate an alarm signal (see FIG. 1). Obviously the binary encodings and their assigned meanings may be permuted to suit the requirements of a particular implementation, but for clarity we will illustrate our design using just this encoding.

TABLE 1: two wire data encoding schemes

| traditional dual-rail encoding: A1 A0 | meaning                | quad-coded data: A1 A0 | meaning   |
|---------------------------------------|------------------------|------------------------|-----------|
| 0 0                                   | clear (or “undefined”) | 0 0                    | clear     |
| 0 1                                   | logical 0              | 0 1                    | logical 0 |
| 1 0                                   | logical 1              | 1 0                    | logical 1 |
| 1 1                                   | not used               | 1 1                    | alarm     |

A processor pipeline with a quad-coded data-path may be constructed using well known dual-rail pipelining techniques [3]. Alarm signals can be inserted using an OR function of the data with a sense signal from a sensor (see FIG. 1). One sensor in our invention is based on an instruction counter; the processor software can check that the expected number of instructions have been executed and alarm if this is not the case (as might happen, for example, under destructive probing attack). In the single circuit implementing the instruction by which this alarm is executed, we depart from the quad-coded logic rules described herein so that an alarm hardware state may be generated from a non-alarm hardware state. Other sensors are outside the scope of this patent but may typically be designed to detect out-of-bounds environmental parameters such as over- and under-voltage and low temperature. This OR function can be combined with the combinational function indicated to assist the usual gate minimisation process.

Once an alarm signal has been injected into the data-path it obliterates the data in the pipeline since any dyadic function of a valid logic level (01₂ or 10₂) with an alarm signal (11₂) will result in an alarm signal.

Logical inversion (NOT) of quad-coded data requires no gates—the wires just have to be swapped. Thus, a quad-coded NOT function has no overhead. Further, inverting an alarm signal (11₂) outputs an alarm signal.

It is well known that the logic functions AND, NAND, OR and NOR can all be constructed from one AND gate plus NOT functions using de Morgan's law. Since NOT functions propagate alarm signals, we just have to demonstrate that a quad-coded AND gate also propagates alarm signals. The circuit for a quad-coded AND gate is illustrated in FIG. 2 and it can be seen that if one or both inputs are alarm signals then the result will be an alarm signal. XOR and XNOR functions can be constructed from NAND gates in the usual manner.

Functions of more than two inputs can be constructed from these two-input functions, though more efficient versions which still propagate the alarm signal correctly are easy to define.

To ensure that alarm signals are propagated as quickly as possible, there are places in the chip where additional circuitry is used to detect the presence of an alarm (using an AND gate (5) in FIG. 1) and then inject that signal into another circuit as though it had originated from an attack sensor. The placement of these alarm propagators can be worked out by someone skilled in the microprobing art as described in [9].

As discussed in the previous section, quad-coded NOT functions are implemented by swapping wires; no gates are required and so no power is consumed. Other functions can be constructed from quad-coded AND gates plus quad-coded NOT functions. The AND gate of FIG. 2 consumes the same amount of power regardless of the logical values on the inputs to the gates. It follows that the power consumed during a computation will be largely independent of the data being processed.
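The following is an added behavioural model of the quad-coded data-path described above (Table 1, the FIG. 1 alarm injection and detector, and the alarm-propagating AND of FIG. 2); it is constructed for this page and is not the patent's own circuit or code. It models what each element computes, not the gate-level C-element implementation, and the pipeline_stage function and its (x AND y) XOR (NOT x) example are assumed for illustration.

```python
# Added example (not from the patent): behavioural model of quad-coded logic.
# Each logical bit is a pair of wires (A1, A0) using the Table 1 encoding.
CLEAR = (0, 0)   # spacer / "undefined"
ZERO = (0, 1)    # logical 0
ONE = (1, 0)     # logical 1
ALARM = (1, 1)   # the fourth state, reserved for the alarm

def encode(bit):
    """Encode a single logical bit as a quad-coded wire pair."""
    return ONE if bit else ZERO

def q_not(a):
    """NOT costs no gates: the two wires are swapped. ALARM maps to ALARM."""
    a1, a0 = a
    return (a0, a1)

def q_and(a, b):
    """Alarm-propagating AND (claim 10 behaviour): an alarm on either input
    wins; a clear (spacer) input keeps the output clear, as a C-element-based
    gate does not fire until both inputs carry data; otherwise ordinary AND."""
    if a == ALARM or b == ALARM:
        return ALARM
    if a == CLEAR or b == CLEAR:
        return CLEAR
    return encode(a == ONE and b == ONE)

def q_or(a, b):
    """OR via de Morgan: NOT(AND(NOT a, NOT b)); the alarm still propagates."""
    return q_not(q_and(q_not(a), q_not(b)))

def q_xor(a, b):
    """XOR built from NAND gates in the usual four-NAND manner."""
    nand = lambda x, y: q_not(q_and(x, y))
    t = nand(a, b)
    return nand(nand(a, t), nand(b, t))

def inject_alarm(a, sense):
    """FIG. 1 alarm injection: OR each wire with the sensor's sense signal.
    sense=0 (normal) passes the data unchanged; sense=1 forces both wires
    high, i.e. the ALARM state, whatever the data was."""
    a1, a0 = a
    return (a1 | sense, a0 | sense)

def detect_alarm(a):
    """FIG. 1 element (5): AND of both wires is 1 only in the ALARM state.
    Its output can be fed to inject_alarm() elsewhere as if from a sensor."""
    a1, a0 = a
    return a1 & a0

def transitions(prev, cur):
    """Wires that toggle between two consecutive states. Every clear-to-data
    transition toggles exactly one wire whichever bit is sent, so the Hamming
    weight of the transitions does not reveal the data value."""
    return (prev[0] ^ cur[0]) + (prev[1] ^ cur[1])

def pipeline_stage(x, y, sense):
    """Constructed stage: sensor OR on input x, then (x AND y) XOR (NOT x).
    Returns the result and whether it carries the alarm onward (0 or 1)."""
    x = inject_alarm(x, sense)
    r = q_xor(q_and(x, y), q_not(x))
    return r, detect_alarm(r)

def logical_value(a):
    """Decode a wire pair to 0/1, None for clear, or 'alarm'."""
    return {ZERO: 0, ONE: 1, CLEAR: None, ALARM: "alarm"}[a]
```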

The most notable exception will be when data values affect the control flow. For example, when computing a digital signature the critical computation is often x^(y) modulo n, where y is the secret value. As exponentiation is implemented using repeated squaring and doubling, depending on whether the bits in the binary expansion of y are zero or 1, an opponent who can tell the difference between squaring and doubling by studying the chip's power consumption can deduce the secret value y. However, given a processor of sufficient performance, this residual vulnerability can be dealt with using defensive programming techniques, such as computing both the squaring and the doubling operation at each step and copying only the desired one of the two results to the next stage of the computation. Self-timed logic has the potential for substantially better performance than clocked logic in a smartcard environment, as the speed of the computation is limited only by the underlying silicon process rather than the externally supplied clock.
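As an added illustration of the defensive programming technique just described (constructed for this page, not the patent's code), the model below places a branching square-and-multiply for x^y mod n beside a version that computes both candidate results at every step and copies the wanted one with a branch-free select; the multiply-by-x step is the one the description calls doubling. The operation_trace helper is an assumed abstraction of the operation sequence an observer could read from the power consumption, not a model of real power.

```python
# Added example (not from the patent): control-flow dependent versus
# compute-both exponentiation, modelled at the level of the operation sequence.

def modexp_branching(x, y, n):
    """Left-to-right square-and-multiply with a secret-dependent branch: the
    multiply happens only for 1 bits of y, so the sequence of operations
    performed spells out the exponent to anyone who can tell the two apart."""
    r = 1
    for i in range(y.bit_length() - 1, -1, -1):
        r = (r * r) % n
        if (y >> i) & 1:          # control flow depends on the secret bit
            r = (r * x) % n
    return r

def select(bit, when_one, when_zero):
    """Copy one of two non-negative values without a branch: an all-ones or
    all-zeros mask is derived arithmetically from the bit (Python ints are
    arbitrary precision, so -1 behaves as an all-ones mask)."""
    mask = -(bit & 1)
    return (when_one & mask) | (when_zero & ~mask)

def modexp_both(x, y, y_bits, n):
    """At every step both the squared result and the multiplied result are
    computed and select() copies the wanted one to the next step, so the
    operation sequence is identical for every y of y_bits bits. y_bits must
    come from the key size, not from y itself, or the loop length leaks."""
    r = 1
    for i in range(y_bits - 1, -1, -1):
        squared = (r * r) % n
        multiplied = (squared * x) % n
        r = select((y >> i) & 1, multiplied, squared)
    return r

def operation_trace(y, y_bits, compute_both):
    """Assumed abstraction of what an operation-level observer sees: 'S' for a
    squaring, 'M' for a multiply. With compute_both the trace is the same
    for every exponent; without it the trace encodes the bits of y."""
    ops = []
    for i in range(y_bits - 1, -1, -1):
        ops.append("S")
        if compute_both or (y >> i) & 1:
            ops.append("M")
    return "".join(ops)
```

Note that this removes only the operation-sequence dependency; the multiplications themselves still consume data-dependent time and power on a general-purpose CPU, which is the residual the quad-coded logic and random delays above are meant to address.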

The quad-coded circuits and defensive programming technique described so far will reduce the data dependent power usage. However, data dependent timing behaviour may be visible. To counteract this effect, additional random delays are added to the data path and control path. This is possible because these circuits are speed independent. The effect is far more subtle than known clocked equivalents which slow the device by a whole clock period, which is a predictable unit of time [7]. Random delays in the data-path or the control-path may be inserted using the circuit in FIG. 3. A standard pseudo random number generator may be used to provide the random bit values (6). Data or control signals are fed in at (9). Contention between the random bit values and input (9) may cause the RS flip-flop (7) to go metastable but the filter (8) will prevent this metastable signal from propagating to the data/control output (10). The time it takes for the flip-flop to stabilise is non-deterministic and adds further randomness to the timing of the circuit.

Finally, in order to support the use of software defensive measures which can further reduce the intelligibility of any residual data dependent power signal, our microprocessor has an additional instruction: set-random-carry. This supports the idea in [10] whereby a random choice is made between two equivalent but different sequences of instructions. The processor can jump to the two sequences using branch-carry-set and branch-carry-clear instructions. The implementation of the set-random-carry instruction is greatly facilitated by the use of quad-coded logic because a free running pseudo-random number generator based on a shift register (or, without loss of generality, an oscillator) produces pseudo-random bits with a timing independent of the processor instruction execution, and this bit stream is sampled when the set-random-carry instruction is executed.

REFERENCES

-   [1] Ross J. Anderson, Markus G. Kuhn: Tamper Resistance—a Cautionary Note, The Second USENIX Workshop on Electronic Commerce, Oakland, Calif., Nov. 18–21, 1996; Proceedings pp 1–11, ISBN 1-880446-83-9.
-   [2] Ross J. Anderson, Markus G. Kuhn: Low Cost Attacks on Tamper Resistant Devices, in M. Lomas et al. (ed.): Security Protocols, 5th International Workshop, Paris, France, Apr. 7–9, 1997, Proceedings, Springer LNCS v 1361, pp 125–136, ISBN 3-540-64040-1.
-   [3] I. David, R. Ginosar and M. Yoeli: An efficient implementation of boolean functions as self-timed circuits, IEEE Transactions on Computers, Vol 41, No 1, pp 2–11, 1992.
-   [4] Serge Fruhauf, Laurent Sourgen: Safety device against the unauthorised detection of protected data, U.S. Pat. No. 4,932,053, Jun. 5, 1990.
-   [5] Suresh Chari, Charanjit Jutla, Josyula R. Rao, Pankaj Rohatgi: A Cautionary Note Regarding Evaluation of AES Candidates in Smart-Cards, Second Advanced Encryption Standard Candidate Conference, Mar. 22–23, 1999, proceedings published by NIST, pp 133–147.
-   [6] Paul Kocher: Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems, Advances in Cryptology—Crypto 96, Aug. 18–22, 1996, Proceedings, Springer LNCS v 1109, pp 104–113.
-   [7] Paul Kocher, Joshua Jaffe, Benjamin Jun: Using unpredictable information to minimize leakage from smartcards and other cryptosystems, International patent application WO99/63696 (Dec. 9, 1999).
-   [8] Paul Kocher, Joshua Jaffe, Benjamin Jun: Differential Power Analysis, Advances in Cryptology—Crypto 99, Proceedings, Springer LNCS.
-   [9] Oliver Kömmerling, Markus G. Kuhn: Design Principles for Tamper-Resistant Smartcard Processors, USENIX Workshop on Smartcard Technology, Chicago, Ill., USA, May 10–11, 1999.
-   [10] Markus G. Kuhn, Ross J. Anderson: Low Cost Countermeasures Against Compromising Electromagnetic Computer Emanations, UK patent application 9801745.2 (28 Jan. 1998).
-   [11] R. E. Miller: Sequential Circuits, Chapter 10, in Switching Theory, Volume 2, Wiley, N.Y., 1965.
-   [12] Thomas S. Messerges, Ezzy A. Dabish, Robert H. Sloan: Investigations of Power Analysis Attacks on Smartcards, Proceedings of USENIX Workshop on Smartcard Technology, May 1999, pp 151–161.
-   [13] C. L. Seitz: System Timing, in Introduction to VLSI Systems, edited by C. A. Mead and L. Conway, Addison-Wesley, 1992.
-   [14] Eric Sprunk: Clock Frequency Modulation for Secure Microprocessors, U.S. Pat. No. 5,404,402.
-   [15] Stephen H. Unger: Asynchronous Sequential Switching Circuits, Wiley-Interscience, 1969.

The above references are incorporated herein by reference.

CLAIMS

1. A logical circuit comprising at least one logical function and at least one connector connected to said logical function, wherein: said at least one connector has two wires for each logical connection, such that each wire has two logical states being a low logical state and a high logical state, thereby to define four logical signals of said conductor, characterised in that: the circuit further comprises at least one attack sensor, said attack sensor being arranged so as to produce a normal signal at all times except when an attack is detected, when an attack signal is produced; a first one of said low logical signals is an alarm signal, a second one is a low logical signal, a third one is a high logical signal, and a fourth is a clear signal; on the or one of said connectors, each of said wires is connected to the input of a separate logical gate, the other input of each of said logical gates is connected to the attack sensor, the output of said logical gates being the continuation of said connector; and said logical gates being constructed so as to propagate the logical states of said wires when the input signal from the attack sensor is a normal signal and to propagate an alarm signal when the input signal from the attack sensor is an attack signal, regardless of the input from said wires.

2. A logical circuit according to claim 1, wherein said alarm signal is represented by the same logical state on both of said wires, said low logical signal is represented by a low logical state on the first of said wires and a high logical state on the second of said wires, and said high logical signal is represented by a high logical state on the first of said wires and a low logical state on the second of said wires.

3. A logical circuit according to claim 2, wherein said alarm signal is represented by a high logical state on both of said wires.

4. A logical circuit according to claim 1, wherein said logical gates are OR gates and said attack sensor is arranged so as to normally produce a low logical signal to said OR gates and produce a high logical signal to said OR gates when an attack is detected.

5. A logical circuit according to claim 1, further comprising additional logical functions which are arranged to detect the existence of an alarm state.

6. A logical circuit according to claim 5, wherein said additional logical functions act as attack sensors for other parts of said circuit.

7. A logical circuit according to claim 1, wherein on at least one of said connectors, each of said wires is connected to the input of a further logical gate, the other input of each of said further logical gates is connected to a control input, the output of said further logical gates being the continuation of said connector, and said further logical gates are arranged so that the propagation of data along said connector is controlled by the control input.

8. A logical circuit according to claim 7, wherein said further logical gates are Muller C-elements.

9. A logical circuit according to claim 7, wherein said delay circuit comprises an RS flip-flop and a filter, the inputs to said flip-flop being a random generator and a control input, the outputs of said flip-flop being connected to said filter, and the output of said filter forming said control input to the logical circuit, said filter being arranged so as to prevent a metastable state of the flip-flop being output.

10. An alarm-propagating logical AND gate capable of receiving two four-valued logical signals as inputs and outputting a four-valued logical signal according to said inputs, wherein said AND gate is adapted for use in a logical circuit where each four-valued logical signal is represented by the logical state of two wires, such that each wire has two states being a low logical state and a high logical state; a first one of said four values of each logical signal is an alarm signal, a second one is a low logical signal, a third one is a high logical signal and a fourth is a clear signal; and said AND gate is constructed from standard logical gates so as to output a high logical signal when both of said inputs are high logical signals, to output a low logical signal when one of said inputs is a low logical signal and the other input is either a low or a high logical signal, and to output an alarm signal if either of said inputs is an alarm signal, regardless of the other input.

11. A logical AND gate according to claim 10, wherein said low logical signal is represented by a low logical state on the first of said wires and a high logical state on the second of said wires, said high logical signal is represented by a high logical state on the first of said wires and a low logical state on the second of said wires, and said alarm signal is represented by the same logical state on both of said wires.

12. A logical AND gate according to claim 11, wherein said alarm signal is represented by a high logical state on both of said wires.

13. A method of propagating signals in a logical circuit wherein each logical signal is represented by two logical states, carried on separate wires, said two logical states being a low logical state and a high logical state, thereby to define four logical signals, characterised in that: a first one of said logical signals is an alarm signal, a second one is a low logical state, a third one is a high logical state and a fourth is a clear signal; said low logical signal is represented by a low logical state on the first of said wires and a high logical state on the second of said wires, said high logical signal is represented by a high logical state on the first of said wires and a low logical state on the second of said wires and said alarm signal is represented by the same logical state on both wires; and dyadic combining of said alarm signal with any of other said signals results in the propagation of an alarm signal.

14. A method of propagating signals in a logical circuit according to claim 13, wherein said alarm signal is represented by a high logical state on both of said wires.

15. A method of protecting the data and operation of a secure electronic device wherein the logical signals within the circuitry are propagated according to the methods of claim 13, comprising the steps of: detecting an attack with an attack sensor; causing an alarm signal to be set in at least one part of the device; propagating said alarm signal throughout the device to erase any secret data being processed by the device.

16. A logical circuit comprising at least one logical function and at least one connector connected to said logical function wherein: said at least one connector has two wires for each logical connection, such that each wire has two logical states being a low logical state and a high logical state, thereby to define four logical signals of said connector, characterised in that: the circuit further comprises at least one attack sensor, said attack sensor being arranged so as to produce a normal signal at all times except when an attack is detected, at which time an attack signal is produced by the attack sensor; a first one of said low logical signals is an alarm signal, a second one is a low logical signal, and a third one is a high logical signal; on the or one of said connectors, each of said wires is connected to the input of a separate logical gate, the other input of each of said logical gates is connected to the attack sensor, the output of said logical gates being the continuation of said connector; and said logical gates being constructed so as to propagate the logical states of said wires when the input signal from the attack sensor is a normal signal and to propagate an alarm signal when the input signal from the attack sensor is an attack signal, regardless of the input from said wires.

17. An alarm-propagating logical AND gate capable of receiving two four-valued logical signals as inputs and outputting a four-valued logical signal according to said inputs, wherein said AND gate is adapted for use in a logical circuit where each four-valued logical signal is represented by the logical state of two wires, such that each wire has two states being a low logical state and a high logical state; a first one of said four values of each logical signal is an alarm signal, a second one is a low logical signal, and a third one is a high logical signal; and said AND gate is constructed from standard logical gates so as to output a high logical signal when both of said inputs are high logical signals, to output a low logical signal when one of said inputs is a low logical signal and the other input is either a low or a high logical signal, and to output an alarm signal if either of said inputs is an alarm signal, regardless of the other input.

18. A method of propagating signals in a logical circuit wherein each logical signal is represented by two logical states, carried on separate wires, said two logical states being a low logical state and a high logical state, thereby to define four logical signals, characterised in that: a first one of said logical signals is an alarm signal, a second one is a low logical state, and a third one is a high logical state; said low logical signal is represented by a low logical state on the first of said wires and a high logical state on the second of said wires, said high logical signal is represented by a high logical state on the first of said wires and a low logical state on the second of said wires and said alarm signal is represented by the same logical state on both wires; and dyadic combining of said alarm signal with any of the other said signals results in the propagation of an alarm signal.